Windows 10’s Security Reboot, Part I: Authentication

There’s incredible excitement about the Windows 10 release. If you completely quantum leap over Windows 9, you’d expect big things. In December, I was talking with NYU-Poly’s Professor Justin Cappos. He’s a security expert and had nothing but high praise for Microsoft’s security group. But he added their cutting-edge research doesn’t necessarily make it into their products.

With Windows 10 officially launched in January, it looks like the security researchers have finally gotten their way.

The End of Pass the Ticket and Pass the Hash?

While Cortana and HoloLens may have stolen the show at the launch event, the other exciting news, at least for us security geeks, is that Microsoft is planning a complete revamp of its rusting security infrastructure.

Jim Alkove, the Windows 10 product manager, gave us all a heads-up about what to expect in a post he published back in October. That was also about the time that Microsoft released the Windows 10 Technical Preview, which you’re free to download and try out on a spare PC or in a virtual machine (VM).

In my next few posts, I’ll take up some of the major changes in authentication and data security that are currently slated. The caveat is that none of this is completely finalized. The official release of Windows 10 is a year away.

In any case, Alkove says that Windows 10 “aims to eliminate” — long pause — Pass the Hash and Pass the Ticket.

Loyal Metadata Era readers know that we’ve dived somewhat deep into the PtH and PtT waters. And we’ve also written an ebook covering these two hash-stealing approaches as well as other attacks used against Microsoft’s NTLM authentication protocol.

For those just tuning in, the key point is that neither Windows nor Linux ever stores plain-text passwords. That’s just Security 101. Instead they run the password through a one-way function, producing what is known as a hash, and keep that instead. By all means, read Rob’s hashing post.

Unfortunately, in Windows, the password hash is equivalent to the password in terms of the power it gives you—the fancy crypto-speak for this is plain-text equivalent. In other words, hackers who are able to get inside a Windows system—and that’s easily accomplished through phishing—just need to collect password hashes to masquerade as other users.
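Why the hash in memory needs the same protection as the password can be seen from how a server checks an NTLMv2 response. The sketch below is an added example, not code from the original post or from Microsoft; it follows the NTOWFv2 and NTProofStr formulas in the MS-NLMP specification, while the account name, domain, hash value and the random `client_blob` (standing in for the real timestamp and target-info structure) are constructed for illustration.

```python
import hashlib
import hmac
import os


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 response key: HMAC-MD5 keyed with the stored NT hash.

    The clear-text password is not an input at any point.
    """
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def nt_proof(nt_hash, user, domain, server_challenge, client_blob) -> bytes:
    """NTProofStr = HMAC-MD5(response key, server challenge || client blob)."""
    key = ntowf_v2(nt_hash, user, domain)
    return hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()


def server_verify(stored_hash, user, domain, server_challenge,
                  client_blob, proof) -> bool:
    """The verifier recomputes the proof from the hash it has on record."""
    expected = nt_proof(stored_hash, user, domain, server_challenge, client_blob)
    return hmac.compare_digest(expected, proof)


def demo():
    # Constructed 16-byte value standing in for an account's NT hash.
    stored_hash = bytes.fromhex("00112233445566778899aabbccddeeff")
    user, domain = "alice", "EXAMPLE"   # hypothetical account
    challenge = os.urandom(8)           # server nonce
    blob = os.urandom(16)               # simplified client blob (assumption)

    # A response built from the hash alone is accepted.
    good = nt_proof(stored_hash, user, domain, challenge, blob)
    # A response built from any other key material is rejected.
    bad = nt_proof(bytes(16), user, domain, challenge, blob)
    return (server_verify(stored_hash, user, domain, challenge, blob, good),
            server_verify(stored_hash, user, domain, challenge, blob, bad))


if __name__ == "__main__":
    print(demo())
```

Because every input to the check derives from the hash, anything that can read the hash holds everything the verifier will ever ask for, which is why isolating that memory matters.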

Where do they find these hashes? Windows keeps them around in the Local Security Authority Subsystem Service (LSASS). Essentially, they’re stored in memory on a user’s laptop or desktop device.

Containers Are the Answer

Having these powerful password hashes on users’ machines instead of storing them in a safe central location is a feature (not a bug) of Single Sign On (SSO). With SSO enabled in most organizations, Windows can reuse the password hash in LSASS—remember, it’s equivalent to the password—without inconveniencing the user.

Hackers have been very effective at exploiting this feature of SSO. Using malware such as mimikatz, they’re able to easily scoop up the hashes from memory, effectively stealing user credentials without having to know the password itself.

With Windows 10, though, Microsoft hopes to stomp out these tools by placing the hashes in a walled-off part of memory. Technically, they’ll put the LSASS in its own VM.

Microsoft, of course, has developed a VM technology, known as Hyper-V, and in this latest Windows version, it looks like they plan to take more advantage of it.

It’s way too early to say whether this approach will succeed in blocking Pass the Hash and Pass the Ticket—the devil is always in the implementation details.

We’ll continue with our overview of Windows 10 security in our next post, where we will take up other authentication changes. These include multi-factor authentication and tighter integration with enterprise PKI, and we’ll also learn about FIDO and security ecosystems.

Andy Green

Andy blogs about data privacy and security regulations. He also loves writing about malware threats and what they mean for IT security.